This blog started as merely a means of describing who was behind certain spam campaigns and which illicit products they were selling illegally. Now it's more of an overall examination of how spam is merely one part of international organized crime.

Tuesday, September 18, 2007

Among the myriad spam messages I receive from the Russian criminals behind "Canadian Pharmacy", came this idiotic missive:

There's a lot of information online but people continue to ask us whether they can trust online drugstores.

We present you the official results of the research made by Independent Research Organization.

All medications are supplied from the leading manufacturers known in pharmaceutical field. The selection of drugs is impressive.

"Canadian Phamacy" site

http://makeseveral.cn

Our major goal is to make your life easier and happier!

Lora Goulette

Also this one for Elite Herbals, from the same individual spammer if not the same exact criminal organization:

http://cyece.com/Greeting INFOWhoever said that Doctors are the only ones that can treat all health =related matters obviously never did their homework..

debbie Wayt

As everyone has mentioned before: spammers lie. They lie constantly. They lie with every single word that they send us, and every website that they build. These messages are no different.

Doctors, as we all know, are "the only ones that can treat all health related matters." The statement from these spammers is a flat-out lie. They know this. They don't care.

There is a lot of information online. But that information very stringently recommends against purchasing pharmaceuticals online, especially the more dangerous ones. Viagra most definitely falls into this category due to its vascular and hormonal side effects.

They obviously are presenting us no "results of the research" (who, precisely is the "Independent Research Organization"? Could they be any more obvious in their lies?)

As we all know: their "major goal" is not to make our lives easier and happier. Their major goal is to drain our wallets and bank accounts, and possibly to kill us all in the process. The number of reported deaths this year due to fake or counterfeit pharmaceuticals has risen to a point where news media outlets are reporting them more often, and with a broader spotlight. It's not merely a band of clandestine reporters focused on illegal spammers and their dangerous and provably lethal "products", it's Reuters, the New York Times, the Canadian Press, and of course Law Enforcement entities around the world.

Today, the Canadian Press released a news story that was on the front page of a very popular daily newspaper in my city. The story is available here and is definitely worth a read. That daily paper is read by some 300,000 people in my city. That's only one of several major newspapers which carried the story.

Canadian Pharmacy's days have got to be numbered. It's been ages since I saw anything from the My Canadian Pharmacy, or International Legal RX sites. The Russian morons behind this patently illegal operation have chosen to focus almost exclusively on the Canadian Pharmacy front end. I'm watching them, and so are many members of law enforcement. They are becoming increasingly desperate in their attempts to get a message past spam filters. (Neither of the messages above did, by the way.) They have co-opted templates from major email campaigns from legitimate companies in the hopes of both poisoning those companies' whitelist status, and planting even more spam in your inbox instead of your spam folder.

Consumers have overwhelmingly made it clear that they don't want to keep seeing this crap, but these Russian scumbags don't care. They think it's their right to continue sending dozens of messages repeatedly every day to millions of people who have already stated very firmly: we don't want this.

What kind of brilliant minds are behind this obviously misguided marketing technique? This is absolutely the stupidest methodology I've ever heard of. And it probably isn't even working, judging by how quickly the sites go down and how varied the message style seems to be.

Don't ever purchase anything from these criminals. You'll be funding what amounts to terrorists in my opinion, and very likely endangering your health. You also are very likely to have your personal data stolen. These assholes run phishing websites on the side and have ties to child porn operations. If you think they're careful with your personal data you are in for a very rude awakening.

Until I stop seeing spam from Canadian Pharmacy and their family of illegal websites, I will not stop warning people never to spend their money there.

Monday, September 17, 2007

So as I mentioned, Nick Danger (aka: Marion Sidney Lynn) has been blabbing away on NANAE regarding the alleged treasure trove he claims to have regarding the personal data of several high-ranking members of Bulkerforum.biz.

On Sept. 15th, he created what appears to be a very crude site outlining the personal data and recent malicious activity of bulkerforum member "lizza", who he claims is actually named Stephen Joseph. He posted a new entry to NANAE featuring a link to his glorious creation. I thought I'd take a gander and outline some of the details of the posting here in the event it all goes down (which these things have a nasty habit of doing.)

As I mentioned before: Nick Danger is both a gasbag and a small fry, and my subsequent research, tempered with his own blatherings, has borne out that he probably hasn't ever sent email 1 for promotional purposes. This doesn't preclude him from acting illegally of course. Aggravated identity theft and fraud, not to mention stock manipulation, are still very serious crimes -- at least: the last time I checked. He's still never disavowed performing any of those acts despite boasting loudly on bulkerforum about alllll the sordid instructions concerning how to do so and never get caught.

So. First off, here's a screenshot of the site as he created it (oh and of course, this is definitely NSFW, knowing mr. Danger's prowess with the profanity):

[Edit, June 2008: Due to changes at HideBehind, this screenshot is missing. It will be re-uploaded momentarily.]

Note: it's rather long. This is Marion Lynn we're talking about. The man needs to hire an editor. I have an entire copy of the page should anyone require its full contents. I have not altered a single line of it.

In the lengthy one-pager, he outlines where Lizza / Joseph lives, and that on a certain night between 1:13 AM and 1:21 AM, lizza boasted about ddos'ing or otherwise attacking the bulkerforum website, at ip address 201.0.8.247. That IP address is in Brasil, and is one of five ip addresses which the forum has routinely bounced between since I started doing my own research on them (Sep. 2006.)

He alleges that Joseph lives in Chula Vista, California. How does he know this? Likely from a variety of lengthy conversations they may have had via a variety of means. It sounds like Marion and Steve had some kind of close contact in the past while. I'm not sure what that would be regarding but it certainly seems to point that way.

He also divulges one of lizza's email addresses (steve_joseph87@yahoo.com). I'm sure by now even lizza doesn't even use email for any legitimate communication, thanx to the damage done to that medium by scumbag spammers like him.

The more interesting stuff is in the variety of postings which Marion has posted below that. It's a lengthy re-posting of what appear to be forum postings from a variety of members. I'm not sure if this is from bulkerforum or what, but there are conversations between a variety of members. It's possible that these are even private messages from bulkerforum, or another forum. I can't be sure. The members which are quoted include:

lizza

icanspam

Third Eye

How did he get this information? And who gave it to him?

He also divulges that lizza (on bulkerforum) also goes by the usernames "Flores9xxx" and "nugs". In the previous NANAE posting he also lists the usernames "proyboy", and the nick names "Stevie" or "shorty". He also claims (apparently erroneously) that lizza also went by the name "seven" at one point.

Then "Nick Danger" claims to be quoting a pm between lizza and himself, but using the username "Third Eye". He goes into a great deal of detail about lizza's connection to a company called Lead Point (leadpoint.com. lizza claims that's a red herring but who knows? This is either good research or a massive, meandering wild goose chase.

Also: Does everyone on bulkerforum have this many usernames and aliases?! It's a bit ridiculous event to me. You'd think this was the Lucchese crime family family for god's sake.

Finally: the geocities site makes it clear that bulkerforum appears to be a leaky boat at the very least, and that several higher-up members seem to be sharing private member information in a very loose fashion. Nick Danger wants to make it sound like a problem of some urgency ("IS PHANTOM GIVING OUT YOUR INFO?", etc.) but again: since phantom barely ever says anything on there lately, it's hard to be sure whether Nick is on the right track or not. But clearly: somebody got this info via some means unknown to members of that forum, and it somehow made its way to Marion Lynn. I guess only he will know who gave it to him, or when, or why. I don't personally care. As long as law enforcement are watching all of this it's just fine by me. :)

Since the chat transcript makes it at least semi-clear that lizza is willing to perform a cyber attack against a forum he's already a member of (!!), this makes him a pretty prime target for folks like me whose forum is currently under an anonymous sustained attack (week #5, and my threat still stands.) As I mentioned, this is only one of several attacks currently underway.

So I have handed all of this over to law enforcement in the event it turns out to be useful. :)

I personally feel that the sustained attacks against all of the spam and fraud research sites are being coordinated from Russian sources, and I am narrowing down a list of who that might be. I'll obviously post more as I get it. (Though not before notifying several legal channels first.)

I've also begun several investigations into the background of Steve Joseph / flores99x / nugs / lizza in the event anything can be turned up in that regard. He probably knows enough shady scumbags to pull off one or more of these types of events.

Lizza has always struck me as easily the most paranoid of the bulkerforum members (a close second would be phantom or Crypto, but they now post so seldom it's impossible to tell anymore.)

An aside: a representative of spamhaus named Susan responded to Nick Danger's NANAE posting (linked above), referring to bulkerforum member phantom as "the Australian megalomaniac". That's tantalizing. He rarely gives up any information whatsoever, so I'm digging into that also. (And handing whatever I find over to Spamhaus and Australian law enforcement, if that's where he truly is located.)

This is a bad year to be a spammer of any sort. By my count there have been 7 major arrests just since March of 2007, and three very large-scale court cases (two of which are still pending.) On a daily basis we see new news items of several investigations discovering new suspects and illegal operations, all fed by spam. It's a zero-sum game which just appears to be taking longer than usual to be taken down from the inside out. Why on earth would anyone knowingly become an email spammer in this climate? Why would anyone want to keep doing it? The profits are outweighed by the obvious risks. Apparently nobody in that community appears to be aware of any of this.

Which is a good thing, ultimately. I hope they lock up the whole lot of them and throw away the key. I've never in my life been bombarded on such a frequent basis by illegal advertisements from such a huge group of idiot scum in my entire life.

Wednesday, September 12, 2007

One would have to assume that the recent arrests, convictions, charges, domain and DNS reporting, and general retaliation against several hundred spam operations has finally had the desired effect on these scumbag's bottom line.

As I write this, numerous websites are under sustained attacks from a botnet numbering in the hundreds of thousands (very likely the Storm Worm botnet.):

Castlecops

KillSpammers

Spamnation

aa419.org

419eater.com

spamhaus.org

Several of them are mitigating the attacks, some with a great deal of success.

Whoever it is that's doing this, you sure are exposing yourself by attacking so many anti-spam websites in one go. But since you're an idiot, you probably didn't think about covering your tracks very well.

If you think we won't find you: you're wrong.

If you think international law enforcement isn't watching this: you're wrong.

I will start releasing VERY personal data on known spammers very soon if this attack doesn't stop, one way or another. Damaging personal information which will make life very very difficult for several known spammers and their business interests. It might be here on this blog, or on any number of other blogs, or it might just be via clandestine messages to private individuals who you likely do not want this information getting to.

If you think I'm kidding around: you're wrong.

Keep it up. For all the stealth you're employing during this attack, you might as well walk into the middle of a public square, drop your pants and scream out: "Look at me! I'm a DDOS attacker! I am so dangerous!" What kind of childish idiots are you?

One day, very soon, your profits are going straight into the toilet. We all know this. You can cry about it via DDOS'ing all you like: it changes nothing.

Wednesday, September 5, 2007

Why are registrars allowing blatantly fake information to be provided when registering a domain name?

Right now, with virtually any registrar you care to name, you can register a domain name using the name Mickey Mouse and you'll probably be approved. You can do so without ever speaking to a representative of the company who's registering the domain, and your hilarious fake registrant entry will indeed show up once your domain is approved.

Why is this the case?

For several years now, I and several of my colleagues have been documenting and reporting domains used by illegal pharmacy spammers which were registered using the following completely fake personal data:

175 Montreal Road is actually the address of a single level building housing the Playmate Club, a strip joint on the outskirts of Ottawa. Nobody at that address has ever heard of anyone named "Paul Gregoire."

That phone number leads to nothing but a voicemail box with the robotically slow voice prompt: "Garrrrry..... Reeeed". Nobody will ever call you back if you leave a message there. The postal address is a UPS dropoff location in a tiny mall in Vancouver. Nobody there has any record of anyone named Gary Reed on any of their customer lists. (It's a small list.)

Another bogus address. Nobody there has ever heard of this alleged person either. Phone number never connects.

I could go on and on. Others have. Do a search for Paul Gregoire and you see nothing but complaints about spam, and yet on a daily basis several thousand new domains continue to be registered using this completely fake identity. This is simply not acceptable.

If I know right now that I can register any domain I want - like for example "isellfakeproductsillegally.com" - using whatever I want as the personal data, what kind of recourse is there for ordinary citizens to shut down these domains? In the real world, you have to be a living, breathing human being to register a business, and you have to be reachable via tangible physical means, whether that's a postal address, a phone number or a fax number. If not: it throws into question your ability to be trusted, as it should. No such boundaries exist in the domain registration game, which is really a shame since it's the biggest loophole which illegal spammers use to get around having to be held accountable for anything.

Several recent domains were registered using laughably fake personal information, and several hundred thousand domains were all registered and approved even though their only contact phone numbers was (555) 555-5555. Take this one for example

That actually becomes a lot easier to track down thanks to the fact that the phone number doesn't exist, and the email address never responds to a single query as to its legitimacy. It helps to have friends who are familiar with Chinese naming, though. That is a laughably fake name.

Of course, as usual, that email address is pointlessly fake.

If I were out to overhaul any one point of contact in terms of how scammers get away with profiting via sales of illegal drugs, domain registration is the first place I'd start. Want to register a domain? You have to do it manually, and you have to wait for me to verify that you are who you say you are. This would be via phone first, email second. If that fails: no go, buddy. Try again. Further: once I have verified that you are who you say you are, re-verify whenever a change is made. Real, legitimate businesspeople will generally have no problem with this. Scammers definitely will.

I'd also ensure that the whois data contains a genuine abuse contact, which is active and does respond, and not just to test contacts.

Why more registrars are not doing this is beyond me, but rest assured criminal spammers are abusing this gaping loophole in the process. They are well aware that it takes several days of contact to get through to a registrar that something is amiss with a domain which is being used in a rampant spam campaign. They also know that in the time it takes to get someone's attention, investigate the issue, attempt to contact the fake domain and eventually (hopefully) shut it down, they will already have profited several thousand dollars. Large-scale criminals lose very little money from the way things work today. This has to change. Failing tha: ICANN really needs to step up and enforce their accreditation rules. Registering a domain with false contact information is flatly fraudulent behavior.

SpamIsLame

About Me

I am an independent fighter of those who choose to spam illegally, promoting either fake or illegal products to an unsuspecting public. Like most people, I despise illegal spammers and I will continue to spread knowledge on how to impact their ability to profit from spamming. There is a difference between "marketing" and spamming. Those who claim otherwise are idiots.